All of our cybersecurity based programs are aligned with the federal governments Cybersecurity Maturity Model Certifications (CMMC). Guidelines are below.
Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense is in the process of publishing a five-level cybersecurity maturity model, known as the Cybersecurity Maturity Model Certification (CMMC) which will impact the entire defense industrial base. Unlike the current DFARS (NIST 800-171) requirement, the CMMC will require contractors, both prime and subcontractors, to undergo an independent third-party assessment ensuring a prescribed level of cybersecurity maturity has been achieved in order to qualify to be awarded contacts and receive funds from the DoD.
CMMC FAQs
The details for the Cybersecurity Maturity Model Certification are emerging and will remain fluid for some time. However, we can address many of the most frequently asked questions below.
What is the CMMC certification?
The CMMC has five defined levels of cybersecurity maturity, ranging from Level 1 (basic cybersecurity hygiene), to Level 5 (advanced/progressive cybersecurity capabilities). It is designed as means by which the Department of Defense can gauge a company’s ability to protect federal contract information (FCI) and controlled unclassified information (CUI). The CMMC prescribes both processes (policies) and practices (controls) across 17 cybersecurity domains for each maturity level.
What is the CMMC replacing?
Once fully implemented, the CMMC certification requirement will replace the current DFARS (NIST 800-171) requirement. CMMC Level 3 aligns nearly one-for-one to NIST 800-171 Revision 1. The CMMC framework combines various control standards including AIA NAS9933, NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032 along with more general cybersecurity practices and processes into a singular unified standard for the Department of Defense. Specific to and in contrast to NIST SP 800-171, CMMC will implement multiple levels of cybersecurity rather than a binary classification, and will also not allow POAMs like the current DFARS requirement does.
Why the CMMC model?
The Department of Defense is migrating to the CMMC framework in an effort to enhance cybersecurity of the Defense Industrial Base (DIB) utilizing the CMMC as a form of verification for organizations working with DoD. CMMC will to ensure organizations have achieved “appropriate levels” of cybersecurity maturity in order to protect and defend controlled unclassified information (CUI).
What’s CMMC connection to DOD?
The CMMC has been created and managed by the United States Department of Defense. DoD funds will likely be utilized to fund the creation and management of a third party accreditation body that will qualify C3PAOs (CMMC Third Party Assessment Organizations). The C3PAOs, in turn, will act to assess organizations vying for DoD contracts within both prime or subcontract capacities.